Fixes issues whereby encrypted images were not properly listed due
to not treating them as encrypted; also removes a piece of wrong
hack code that would never run, as the primary slot cannot be
encrypted.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds missing fields which were wrongly treated as part of the
operation value, which they were not, and adds a big/little
endian check.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Typecasting pointer variables to uint32_t
instead of uintptr_t was causing build error
on 64-bit architecture.
This is useful, because I am currently working
on implementing support for a 64-bit native target
in Apache Mynewt. There is a unit test for boot_serial
and it cannot be compiled without these changes.
Signed-off-by: Michal Gorecki <michal.gorecki@codecoup.pl>
According to the SMP protocol documentation [1], 'image number' value
in 'image upload request' is optional and can be included only in packet
with 'off' (data offset) set to '0' (first packet in upload request).
In one of the recent changes (commit 'cb07e888691d'), initialization of the
'img_num' variable was removed which, in an extreme case (no image number
provided in upload request), results in use of its uninitialized value
in the flash_area_open() call, which then might lead to request abort.
This fixes the above regression and also makes the MCUboot implementation of the
'image upload request' aligned with the Zephyr documentation of the protocol
by considering the image number only from the first (off == 0) 'image upload
request' SMP packet. In addition, the 'image number' value is set to '0' if
the request doesn't provide this field.
[1] docs.zephyrproject.org/latest/services/device_mgmt/smp_groups/smp_group_1.html
Fixes: cb07e88869 ("boot_serial: Replace cbor auto-generated code with zcbor functions")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The 'matched' param in zcbor_map_decode_bulk() function is 'pointer to
the counter of matched keys', not length of payload buffer.
Fixes: fac2cabe98 ("boot_serial: Add image state set/get")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes an issue which was introduced in commit
fac2cabe98 which would show all
images, including those with invalid headers, in the output of
images being listed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds optional image state set/get functionality to serial recovery
mode which allows for listing image states and marking images to
be tested or as confirmed.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fix usage of zcbor_new_encode_state API, to correctly pass the payload
length. The previous usage was passing a pointer to the end of the
payload, which resulted in the ZCBOR structure being initialized with
an invalid `payload_end` field. On some platforms, this breaks MCUBoot
serial recovery, as the ZCBOR structures required to send response data
are invalid and can no longer be populated with response data.
Signed-off-by: Daniel DeGrasse <daniel.degrasse@nxp.com>
Replaces the auto-generated decoding/encoding files with inline code
for encoding/decoding cbor data structures; this adds the benefit of
allowing the elements to be in any order and reduces code size. To
accommodate this, zcbor_bulk has been imported from Zephyr.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes include paths for zephyr builds to use the system zcbor_*
files rather than the local files.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Adds support for outputting the image hash TLV in serial recovery
mode, which is needed to comply with the img_mgmt MCUmgr group
requirements.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
The mcumgr packet sent over serial should be fragmented into frames of
up to 127 bytes, including a 2-byte frame start header and 1 byte for the
terminating newline [1], resulting in up to 124 bytes for the base64
encoded payload.
The current implementation doesn't fulfill the above requirement and transmits
single frames, without considering their length. This change introduces
support for fragmenting as defined in the 'SMP over console' specification.
[1] github.com/apache/mynewt-mcumgr/blob/master/transport/smp-console.md
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
__packed may not be available in all environments. In such a
case, just fall back to __attribute__((__packed__)).
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Adds a packed attribute to the nmgr struct to avoid issues on
architectures that do not support unaligned memory access.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
When hooks are enabled, boot_reset_request_hook will be
called to check whether it is allowed to reset a device.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Returned values are now hardcoded. Indeed, while it is not
strictly needed (few return values different from SUCCESS
or FAILURE), the complexity added by encoding return values might
cause the software to be vulnerable to fault attacks.
Return type changed from fih_int to fih_ret to make
the whole thing much simpler and therefore more robust
to fault attacks. In addition, it's easier to predict
compiler behavior.
Assignment of sensitive variables has been hardened using the macro
FIH_SET (assignment + check whether the write access has been properly
done). FIH_DECLARE() is added to ease the declaration of sensitive
variables.
Equality tests fih_eq() and fih_not_eq() are now macros because
inlining produces more complex code (and weaker) than macros.
In addition, fih_not_eq is modified to be the negation of fih_eq,
which was not the case until now.
When FIH_NOT_EQ is used, FIH_SET(fih_rc, FIH_FAILURE) has been added
in some parts of the code.
The variable image_mask (bootutil_priv.h) is now volatile because a
double IF test is made on it.
Some other parts of the code have been hardened (e.g. loop on images).
Signed-off-by: Michael Grand <m.grand@trustngo.tech>
Fixes a bug when writing to devices which have memory alignment
requirements, with data being used directly from a zcbor response,
whereby the alignment of the buffer data does not meet the
requirements of the flash driver.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
There are 3 levels of buffers and only the first one seems to be
configurable, this fixes that issue.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
Fixes an issue whereby rc is a signed variable but is returned as
an unsigned variable in the zcbor functions.
Signed-off-by: Jamie McCrae <jamie.mccrae@nordicsemi.no>
This adds a short explanation (in the form of a comment) of why the CPU shouldn't
enter idle state in timeout based serial recovery.
Ref: 3942e9bf8f ("boot_serial: fix serial recovery mode with timeout")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
If 'BOOT_SERIAL_WAIT_FOR_DFU' is selected, the CPU shouldn't enter idle
state, waiting for an interrupt from the console, because we expect booting
if no mcumgr command is received within a configured timeout (with the
'CONFIG_BOOT_SERIAL_WAIT_FOR_DFU_TIMEOUT').
Without this fix, when using 'BOOT_SERIAL_WAIT_FOR_DFU' the boot process
hangs forever, waiting for input from console.
Fixes: e3822f8180 ("boot_serial: zephyr: Add optional timeout to enter serial recovery")
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The `BOOT_LOG_INF` function, which uses the format specifiers defined
by the C standard, was incorrectly printing a variable with the type of
`off_t` using the `%x` format specifier, which is intended to be used
with the `int` type.
The `off_t` type, specified by the POSIX standard, is not guaranteed to
be `int`, and it may be defined as `long` or `long long` depending on
the toolchain and the target architecture.
This commit updates the print routine such that it casts the arguments
of the `off_t` type to `intmax_t` and prints them out using the
corresponding `%jx` format specifier.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
Add relevant "zephyr/" prefixes to allow building with the Zephyr
option CONFIG_LEGACY_INCLUDE_PATH=n.
Signed-off-by: Fabio Baltieri <fabiobaltieri@google.com>
Add the serial adapter for ESP32 for boot recovery and MCUMGR
communication.
Signed-off-by: Almir Okato <almir.okato@espressif.com>
espressif: Configure console via bootloader_support functions
Signed-off-by: Gustavo Henrique Nihei <gustavo.nihei@espressif.com>
The progressive erase and non-progressive erase code has been
refactored; some additional comments have been added to logic.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Types of a few variables have been changed to align more with
what they represent; variables have been renamed to make their
purpose more clear.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Move formatting of the version string to use snprintf, which Zephyr
provides, instead of defining a utility function for that purpose.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
cddl-gen has been renamed to zcbor.
Update regenerate_serial_recovery_cbor.sh and regenerate/recopy all
files.
Remove the submodule in ext/ since it is no longer necessary when
the zcbor package is installed (only needed for regeneration, not
for building).
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>
In the case when the echo string would be too long to fit into the buffer,
there would be no space left for container termination.
Due to a lack of error checking, such a non-terminated container would
be sent out, where an error response should be sent out instead.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
The buf buffer, used to collect the total console payload consisting
of total size (two bytes), SMP header (eight bytes), data payload
(bs_obuf, BOOT_SERIAL_OUT_MAX) and CRC (two bytes), prior to base64
encoding, has been set to the size of BOOT_SERIAL_OUT_MAX.
This means that if the output data len, in bs_obuf, would be longer than
BOOT_SERIAL_OUT_MAX - 8 - 2 - 2, then composing of the output buffer
would overflow.
Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
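As an added illustration (not code from MCUboot or from any of the commits above), the following Python models the 'SMP over console' framing described in the fragmentation commit and the pre-base64 buffer layout from this commit: length field, SMP header, payload and CRC, then base64 frames of at most 127 bytes with 0x06 0x09 / 0x04 0x14 markers. The CRC parameters (CRC-16/XMODEM, polynomial 0x1021, initial value 0, appended big-endian) and the frame markers are assumed from the mcumgr console transport rather than taken from the page, and the SMP header and body are constructed sample data.

```python
import base64
import struct

# Framing constants from the 'SMP over console' specification cited above.
PKT_START = b"\x06\x09"    # marker on the first frame of a packet (assumed)
FRAG_START = b"\x04\x14"   # marker on every continuation frame (assumed)
FRAME_MAX = 127            # marker + base64 text + terminating newline
B64_PER_FRAME = FRAME_MAX - 2 - 1          # 124 base64 characters per frame
RAW_PER_FRAME = B64_PER_FRAME // 4 * 3     # 93 raw bytes encode to 124 characters
SMP_HDR_LEN = 8
def crc16(data: bytes, crc: int = 0) -> int:
    # CRC-16/XMODEM (poly 0x1021, init 0): assumed here as the transport CRC.
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def fits_output_buffer(data_len: int, out_max: int) -> bool:
    # Pre-base64 buffer must hold: length (2) + SMP header (8) + data + CRC (2).
    return 2 + SMP_HDR_LEN + data_len + 2 <= out_max

def build_packet(smp_hdr: bytes, payload: bytes) -> bytes:
    # Big-endian total length covers the SMP header, payload and the CRC.
    body = smp_hdr + payload
    return struct.pack(">H", len(body) + 2) + body + struct.pack(">H", crc16(body))

def fragment(packet: bytes) -> list:
    # Split into frames so that marker + base64 chunk + newline never exceeds 127.
    frames = []
    for i, off in enumerate(range(0, len(packet), RAW_PER_FRAME)):
        marker = PKT_START if i == 0 else FRAG_START
        frames.append(marker + base64.b64encode(packet[off:off + RAW_PER_FRAME]) + b"\n")
    return frames

def reassemble(frames: list):
    # Receiver side: strip markers and newlines, decode, check length and CRC.
    raw = b"".join(base64.b64decode(f[2:-1]) for f in frames)
    total = struct.unpack(">H", raw[:2])[0]
    body = raw[2:2 + total]
    if len(body) != total or crc16(body[:-2]) != struct.unpack(">H", body[-2:])[0]:
        return None  # truncated or corrupted packet
    return body[:-2]  # SMP header + payload

def sample_frames() -> list:
    # Constructed input: SMP read (op 0), group 1 (image management), 200-byte body.
    payload = b"\xa0" * 200
    hdr = struct.pack(">BBHHBB", 0, 0, len(payload), 1, 0, 0)
    return fragment(build_packet(hdr, payload))
```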
This PR adds the possibility to only enter the bootloader's
serial recovery mode when a mcumgr command is received within a
given timeout.
Signed-off-by: Wouter Cappelle <wouter.cappelle@crodeon.com>